Hacking prison – lessons learned from recent data breach
Did you ever think that a hacker could spring a prisoner out of jail? A hack like this is no longer an imaginary plot for a series like “Mr. Robot” or a potential one for “Prison Break”. It has moved out of the fictional world and turned into a real-life event.
According to the recent news, a Michigan hacker broke into his local prison’s computing system to release a friend. He performed a sophisticated scheme using malware, phishing, and social engineering techniques in an attempt to trick the workers into downloading and running malware on their computers.
Finally, the attacker managed to gain full access to the county network, including search warrant affidavits, internal discipline records and the personal data of more than 1,600 employees.
As a result, jail officials had to pay $235,488 to fix the mess, and now this daredevil faces his own time in jail.
Unfortunately, this is not the only case. Let’s dig into what happened earlier, what people think about this attack and what lessons we can learn.
Hacking prison – History
The Michigan incident was a typical email spear-phishing attack, and it comes as no surprise that there are other methods of hacking prisons.
We interviewed people who are familiar with this area, and it turned out that the industry was aware of similar examples that weren’t publicly known.
There have been numerous attacks on our BOP [Federal Bureau of Prisons] system over the years.
claims Bruce W. Cameron, a former Federal Prison official.
One of Britain’s most notorious cybercriminals, who was jailed for five years in 2011, managed to sneak into a prison computer class and hack the network there. The prison blamed a teacher for the crucial mistake of letting him join the lesson.
Another high-profile case dates back to 2013, when two convicted killers walked out of a Florida prison with the help of forged court documents.
So we also see cases where the attack targeted processes rather than software or hardware.
Instances where motions were made to judges to transport on writ or for immediate release have been nearly effected. Staff almost loaded the release orders and it was a very close call.
says Bruce W. Cameron.
At Defcon 19, a hacking conference, researchers delivered a presentation aimed at “providing support for wardens and corrections administrators to get funding to fix the issues”. They showed that, by exploiting a vulnerability in an electronic security system, malicious actors could easily open jail doors and get a chance to release prisoners.
It’s important to note that depending on the level of process automation, attacks may be automated as well.
As for the Michigan hacker, he accessed an XJail application. This program is used for monitoring and tracking prisoners in a county jail. Although he accessed this system via malware and phishing, such applications, like any other business-oriented ones, may have vulnerabilities. What counts here is that hackers may sometimes access them without malware or any access to the internal network.
Hacking prison – Alternative way
If you search for “xjail”, you will find remotely accessible systems for making appointments with prisoners at various prisons.
With the help of this service, one can get personal information, sentences of prisoners, etc. It is a system that provides any hacker with all of this sensitive data.
Seeking to release a friend, a hacker is able to find vulnerabilities in this software, such as those covered in the OWASP Top 10, and get unauthorized access.
Hacking prison – Lessons learned
For each industry, there are various specific applications. In terms of prisons, the security of systems remains at a low level and if attackers need to hack them, it would not be as difficult as it might seem. To ensure complete safety, it is not enough to conduct simple audits. It is also necessary to conduct safety checks for industry-specific applications.
state ERPScan’s researchers.
Cybersecurity researchers constantly warn of possible breaches targeting organizations and employees. While their alerts are ignored, there is ample evidence that hacks will continue to pop up, creating chaos and taunting officials.